New Storm, Old Song

The new Storm (the “April Fool’s” one), also known as CME-711/Peacomm/Nuwar/Zhelatin/Tibs, uses a cheap trick of dropping and loading a DLL named testdll_f.dll, in which all of Storm’s functionality now resides.
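A drop-and-load DLL like this is visible to any telemetry that records image loads. The script below is an added example (not ThreatExpert’s code and not part of the original post): it runs a small detection rule over constructed log lines laid out like Sysmon Event ID 7 (ImageLoaded) fields, flagging loads of the known file name from the post and, more generally, unsigned DLLs loaded from user-writable directories. The sample lines, the `SAMPLE_EVENTS` list, the field layout and the directory list are all assumptions made for the example.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample records shaped like Sysmon Event ID 7 (ImageLoaded) fields.
# "Image" is the loading process, "ImageLoaded" is the module that was mapped.
SAMPLE_EVENTS = [
    "Image: C:\\Windows\\explorer.exe|ImageLoaded: C:\\Windows\\System32\\kernel32.dll|Signed: true",
    "Image: C:\\Windows\\Temp\\svc.exe|ImageLoaded: C:\\Windows\\Temp\\testdll_f.dll|Signed: false",
    "Image: C:\\Program Files\\Editor\\editor.exe|ImageLoaded: C:\\Program Files\\Editor\\plugin.dll|Signed: true",
    "Image: C:\\Users\\bob\\AppData\\Local\\Temp\\run.exe|ImageLoaded: C:\\Users\\bob\\AppData\\Local\\Temp\\helper.dll|Signed: false",
]

# File name taken from the post; everything else here is an illustrative assumption.
KNOWN_BAD_DLL_NAMES = {"testdll_f.dll"}

# Directories an unprivileged process can normally write to (assumed list).
USER_WRITABLE_PREFIXES = (
    "c:\\windows\\temp\\",
    "c:\\users\\",
    "c:\\documents and settings\\",
)

_FIELD_RE = re.compile(r"(\w+): ([^|]*)")


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'Key: value|Key: value' record into a dict of its fields."""
    return {key: value.strip() for key, value in _FIELD_RE.findall(line)}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the list of rule names that fire on one image-load event."""
    loaded = event.get("ImageLoaded", "")
    loaded_lower = loaded.lower()
    name = loaded_lower.rsplit("\\", 1)[-1]
    reasons = []
    if name in KNOWN_BAD_DLL_NAMES:
        reasons.append("known-bad-dll-name")
    # Generalisation: an unsigned DLL mapped from a user-writable location is
    # suspicious regardless of its name, since a dropper can pick any name.
    is_signed = event.get("Signed", "").lower() == "true"
    if not is_signed and loaded_lower.startswith(USER_WRITABLE_PREFIXES):
        reasons.append("unsigned-dll-from-writable-dir")
    return reasons


def scan(lines: List[str]) -> List[Tuple[str, str, List[str]]]:
    """Run the rules over log lines; return (process, dll, reasons) for each hit."""
    findings = []
    for line in lines:
        event = parse_event(line)
        reasons = classify(event)
        if reasons:
            findings.append((event.get("Image", ""), event.get("ImageLoaded", ""), reasons))
    return findings


if __name__ == "__main__":
    for process, dll, reasons in scan(SAMPLE_EVENTS):
        print(f"{process} loaded {dll}: {', '.join(reasons)}")
```

Only the name rule is specific to this Storm variant; the second rule is the one worth keeping, because the next build can rename the DLL but still has to load it from somewhere the dropper could write.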

Interestingly enough, ThreatExpert Memory Scanner detected and reported the new Storm with the stone-age memory signatures, as shown below:

ThreatExpert Automation was tweaked to report the new Storm in a more efficient way.

Now, the details of the peer-to-peer botnet used by this threat are listed, along with the file extensions it considers when harvesting email addresses and the email addresses it avoids touching.